cap-bound

This file exports the so-called "capability bounding set" to userspace: a list of capabilities that are allowed to be held by any process on the system. If a capability does not appear in the bounding set, it may not be exercised by any process, no matter how privileged.

The bounding set can be modified by writing a new value into this file, with one twist: root may remove capabilities from the set, but only one process (init) is allowed to add them. For all practical purposes, once a capability is taken out of the bounding set, it is gone until the next reboot.
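
The following sketch is an added example, not code from the kernel or from this page. It decodes a cap-bound value into the capabilities it withholds and models the remove-only write rule described above. It assumes the file holds a 32-bit mask shown as a signed decimal integer, that bit numbers follow `<linux/capability.h>`, and that a write by any process other than init is combined with the current set by bitwise AND; the value `-257` is a constructed sample.

```python
# Added example, not kernel code. Assumptions: the file holds a 32-bit mask
# printed as a signed decimal integer, bit numbers follow <linux/capability.h>
# of kernels that shipped this file, and a non-init write is ANDed with the set.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE",
]
MASK32 = 0xFFFFFFFF

def parse_cap_bound(text):
    """Turn the file's text (signed decimal or 0x hex) into an unsigned mask."""
    return int(text.strip(), 0) & MASK32

def missing(mask):
    """Capabilities no process can exercise under this bounding set."""
    return [n for bit, n in enumerate(CAP_NAMES) if not (mask >> bit) & 1]

def drop(mask, cap_name):
    """Value to write in order to remove one capability from the set."""
    return mask & ~(1 << CAP_NAMES.index(cap_name)) & MASK32

def apply_write(current, written, writer_is_init=False):
    """Model the write rule: init may set any value, anyone else only clears bits."""
    written &= MASK32
    return written if writer_is_init else current & written

def to_file_text(mask):
    """Render a mask the way the file shows it (signed decimal)."""
    return str(mask - (1 << 32) if mask & 0x80000000 else mask)

if __name__ == "__main__":
    current = parse_cap_bound("-257\n")          # constructed sample value
    print("missing:", missing(current))
    hardened = drop(current, "CAP_SYS_MODULE")   # e.g. forbid module loading
    print("write:", to_file_text(hardened))
    # A later attempt by root to restore every bit changes nothing.
    print("after restore attempt:", hex(apply_write(hardened, MASK32)))
```

When auditing a host, compare the decoded list against the capabilities the system's services actually need; anything listed as missing stays unavailable to every process until reboot.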